trouble updating username and password

samoht 10 Mar, 2009
hello again,

So I thought I had my registration and user details forms all working - but I noticed that the username and password are not being updated when I change those values on the form and click save. I did a print_r and the queries to save to the tables look correct.

is there something special I have to do to change username and password? or is the problem just an issue with my code?
Here is what the debug returned (with my print_r):

_POST: Array ( [key_code] => c37518ce7190ddf7000072b9f37821c5 [username] => refstud2 [password] => refstud123 [cpword] => refstud123 [user_email] => reformedstudent@gmail.com [first_name] => Andrew [last_name] => Adcock [title] => Fellow [vm_hospitalaffiliation] => none [address_1] => 233 Hamel Av [address_2] => [city] => Glenside [state] => [zip] => [undefined] => Save [27c6d142b7d71304b4bb1bfd6bc7dae9] => 1 )


Your License key is = 3f4a67ed75333603000072c87f3ed85f
UPDATE `#__users` SET `username` = 'refstud2', `password` = 'refstud123' WHERE `user_id` = (236) ;



and here is the save code when the username or password is modified:

<?php
global $row_jos_vm_user_info;
$user =& JFactory::getUser();

echo '<div class="key_page">';
$smuser = $user->id;
if($user->username != $_POST['username'] || $_POST['password']){

$strLogin  = $_POST['username'];

	if($_POST['password']){

		$strPassword = $_POST['password'];

	    /* some key creation code here */

	echo '<br/><br /><h3><b>Your License key is</b> = '.$key.'</h3></div>';	

		/* now save the new data */
		$db =& JFactory::getDBO();
		$query = '
			UPDATE `#__vm_product_license`
		        SET `license_start` = "'.time().'", `key_code` = '.$key.'
		        WHERE `user_id` = '.$smuser.';';
		$db->setQuery($query);
		$db->query();

		//echo print_r($query, true);

		// now the second update
		$q = '
		  UPDATE `#__users`
		    SET `username` = "'.$strLogin .'", `password` = "'.$strPassword .'"
		    WHERE `user_id` = '.$smuser.'';

		$db->setQuery($q);
		$db->query();

		echo print_r($q, true);

	}else{
	echo '<br/><br />
			<h3><b>You must set a new password if you wish to change the username! <br /> 
			No, new license was created.</b></h3>';
	}

}else{

// code if username and password were unchanged 
?>


if the print_r's return a query that works perfectly in mysql - why is the UPDATE not happening??
GreyHead 11 Mar, 2009
Hi samoht,

I think that the #__users table should store an MD5 encrypted and salted version of the password - Joomla does not keep raw passwords for security reasons. I don't think this is the problem you have here but it is a problem with this approach.

There is a getCryptedPassword() method in the User helper and I think you will need to call this.

If you look at the code in the ChronoForms Joomla Registration PlugIn you can see how this is used. You might be better off adapting the PlugIn to your application rather than coding this from scratch.

Bob
samoht 11 Mar, 2009
Hi Bob,

can I use the plugin - if I am saving to more than one table?

If so, I assume I'll just have to watch my order for running the plugin. Also, will I need to do something special since I am not creating new users but updating existing ones?
GreyHead 11 Mar, 2009
Hi samoht,

You may need to copy the plugin and hack your version but it's certainly going to be simpler than working from scratch. You can change the OnSubmit function in the PlugIn to write to anything.

Bob
samoht 11 Mar, 2009
Yes, I seem to be having a problem with my code because even the UPDATE to the license table is not working when it is the only save active?

Do you see a problem with this:

		/* now save the new license data */
		
		$db =& JFactory::getDBO();
		$query = '
			UPDATE `jos_vm_product_license`
		        SET `license_start` = "'.time().'", `key_code` = '.$key.'
		        WHERE `user_id` = '.$smuser.';';
		$db->setQuery($query);
		$db->query();


OH - yes I found the problem with this the '.$key.' needed "" around it!
I'll try debugging the users table save now

Thanks
samoht 11 Mar, 2009
Um,

still no go for me. Here is my save for the #__users table:

		// now the second update
		$q = '
		  UPDATE `#__users`
		    SET `username` = "'.$strLogin.'", `password` = "'.$strPassword.'"
		    WHERE `user_id` = '.$smuser.'';

		$db->setQuery($q);
		$db->query();


now you were saying something about a problem with the password. Do I need to unset the original password and then encrypt the new password to save it?
GreyHead 11 Mar, 2009
Hi samoht,

You will screw up your user table like this and no-one will be able to login.

You *must* correctly encode any passwords that you save in there!!

Bob
samoht 11 Mar, 2009
OK,
I have been looking for the getCryptedPassword() method you suggested but cannot find it?

I will google it and see if that helps

>>>
can I just include the string password or do I need to set the salt and the encryption?

(e.g. getCryptedPassword($strPassword) )
GreyHead 11 Mar, 2009
Hi samoht,

Please check the ChronoForms Joomla Registration PlugIn and the Joomla User Helper and you will find all the code that you need.

Bob

PS Repeating my caution, be very careful writing to the #__users file, you may make your site unusable.
samoht 13 Mar, 2009
Thanks for your help again.

I am not sure I am understanding the cf_joomla_registration.php methods. I can't see where the save to the db is happening?
Also, If I have 'activation' turned on for user registration - will the users need to re-activate if they change username or password? I don't think they should have to.

the code to get the password is just
$password = JRequest::getString('password', '', 'post', JREQUEST_ALLOWRAW);


I don't see the encryption happening here?

Anyway, sorry to pester -
Max_admin 13 Mar, 2009
Hi samoht,

> I can't see where the save to the db is happening?

Using the JUser class, it's there!

> Also, If I have 'activation' turned on for user registration - will the users need to re-activate if they change username or password? I don't think they should have to.

Who said they have to? I don't think that changing them should be done using the plugin, it's just a simple plugin and not a complete user management solution, just a form to insert users, I think I will add extra functions but for now don't do more than this using it!🙂

> I don't see the encryption happening here?

I'm sure it's encrypted after that by a few lines too!

Regards
Max
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
samoht 14 Mar, 2009
this is the only thing I see that looks like encryption:

		if ($useractivation == '1')
		{
			jimport('joomla.user.helper');
			$user->set('activation', md5( JUserHelper::genRandomPassword()) );
			$user->set('block', '1');
		}


is this right?
GreyHead 14 Mar, 2009
Hi Samoht,

Let's go back to first principles . . . what are you trying to do with this form?

I don't understand why you need to change usernames and passwords?

Bob
samoht 14 Mar, 2009
OK,

I need to be able to change username and password because it is based on these that a user's License Key is generated. The License Key lasts for 90 days - after that a user would have to come and reset their username and password in order to generate a new License Key good for another 90 days.

This functionality is NOT my idea - I think it is dumb, but the client insists. 😢
Max_admin 14 Mar, 2009
Hi samoht,

And what's the difference between a "license key" and the "password"? Are they the same thing? What should the user do with a license key? Please tell me the process in brief and we may have a better idea on how to do it!🙂

Regards,
Max
nml375 14 Mar, 2009
Your client does seem to have some odd ideas..
In any case, you really, really shouldn't play around with the #__users table yourself. Especially not when there is a whole class (JUser) there to do the work for you, with all the coherency-checks etc.

$user =& JUser::getInstance($smuser);
$data = array('password' => $strPassword, 'password2' => $strPassword);
if (!$user->bind($data))
{
//Something went wrong, should report it and abort
 
}
if (!$user->save())
{
//Something went wrong, should report it and abort

}
samoht 15 Mar, 2009
The License Key is an md5 of the username and the password + a salt and the current date. The site provides a surgical image software for download and the License key unlocks the software. I already have the License Key code working fine - but I need to be able to have the Users generate a new License if their current License expires. Now, I could do this easy enough with the existing info (if I could retrieve the password unencrypted) - but my client thinks that users should be able to change the info if need be.

hopefully this makes sense.
GreyHead 16 Mar, 2009
Hi samoht,

You can't get the unencrypted password from Joomla - it only keeps a hashed version. You could always save an encrypted copy in your license file records though.

I think that you can do what you want with the JUser Object. Not tested and will need debugging but try this
<?php
// load the user helper file which includes the password generator
jimport('joomla.user.helper');
$user_info = array();

// get the current user object
$user =& JFactory::getUser();

$new_password  = JUserHelper::genRandomPassword();

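// $new_username is assumed to hold the username submitted on the form
$user_info['username'] = $new_username;
$user_info['password'] = $new_password;
// password2 must repeat the password, or bind() rejects the change
$user_info['password2'] = $new_password;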

if ( !$user->bind($user_info)) {
  JError::raiseWarning('', JText::_( $user->getError()));
  return false;
}
if ( !$user->save()) {
  JError::raiseWarning('', JText::_( $user->getError()));
  return false;
}
// add your license generation code here
?>

Bob
Max_admin 16 Mar, 2009
Hi samoht,

or may be do it in a way that when you want to regenerate a new license key, you can use the password md5 and not the clear text!

Cheers
Max
samoht 16 Mar, 2009
Hi Guys

I morphed some of the advice and made it so the user could update both username and password. Now I'm wondering if I should send them a new email out saying that they changed their username or email - since they won't be able to login with the old username password anymore?

by using the Juser object there is no danger of messing up the whole #__users table correct?
Max_admin 16 Mar, 2009

> by using the Juser object there is no danger of messing up the whole #__users table correct?

I don't think so!🙂
GreyHead 16 Mar, 2009
Hi samoht,

Absolutely - if you want them to have the vaguest chance of logging in. (I have to say again that this is a pretty bizarre business model - I would expect that 80%+ of users will lose their new usernames and passwords and have to come back and ask for them to be replaced.)

I'm making no promises about the safety of the $user methods - they should be Ok but test on a safe site first.

Bob
nml375 16 Mar, 2009
The only thing you might screw up, would be changing the password for the wrong user. Since I gather it would be the user him/herself that does the updating, a plain JFactory::getUser() should do the trick.
There's a safety-feature in the JUser object that you have to set both password and password2 to the same password (to prevent accidental typos). Anything you don't enter into the array should be left as-is.

I would strongly advise against storing user's password in plaintext within the database, or even an encrypted equivalent. It is very bad practice, and there really is no good reason for doing such.

How about instead simply adding an additional form field where your user should enter his/her password? Then you'd have it in plaintext without having to store it anywhere, and you could also verify it against the user database (added security, should the session become available to 3rd party). Also, you could still offer the possibility of updating login/password information - it simply isn't mandatory anymore.

Edit:
Created (and tested) a small code snippet to verify a submitted password:
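<?php
jimport('joomla.user.helper');

//Get the user object
$user =& JFactory::getUser();

//Split the stored "hash:salt" value into an array: [0] is the hash, [1] the salt.
$salt = explode(':', $user->password);

//Read the submitted password raw from POST (as the registration plugin does),
//so request filtering cannot alter it.
$submitted = JRequest::getString('password', '', 'post', JREQUEST_ALLOWRAW);

//Create a hash for the submitted password, using the stored salt
//(empty when the stored value carries no salt part)..
$testcrypt = JUserHelper::getCryptedPassword($submitted, isset($salt[1]) ? $salt[1] : '');

//Test whether the new hash matches the one stored in the user object.
//Strict comparison, so the two hex strings are never compared as numbers:
if ($salt[0] === $testcrypt)
{
 echo('Password ok!');
 //Create the new license key here...
} else
{
 echo('Password mismatch!');
 //Wrong password, take appropriate actions..
}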
samoht 17 Mar, 2009
Thanks for all the help!

I think I will present to the client a model where username and password do not get changed ever. If a new license key needs to be generated I will direct them to another page that asks for their password to continue - then checks that against the db and if correct generates a new license key.

If users want a new username or password they should just register again.
GreyHead 17 Mar, 2009
Hi samoht,

That sounds good to me

Bob
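
The flow settled on in this thread, as an added example that is not part of any post and is not Joomla or ChronoForms code: re-check the submitted password against a stored "hash:salt" value, then build the license key from the stored hash rather than the clear text, as Max suggested. The md5(password . salt) layout, the function names and the sample values are assumptions made for the illustration.

```php
<?php
// Added example. Assumes the stored value is "hash:salt" with
// hash = md5(password . salt); every name here is hypothetical.
function example_crypt($plaintext, $salt)
{
    return md5($plaintext . $salt);
}

// Compare two strings without stopping at the first differing byte.
function example_equals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Check a submitted password against a stored "hash:salt" value.
function example_verify($submitted, $stored)
{
    $parts = explode(':', $stored, 2);
    $salt  = isset($parts[1]) ? $parts[1] : ''; // a value may carry no salt
    return example_equals($parts[0], example_crypt($submitted, $salt));
}

// Key from username + stored hash + site salt + date: the clear-text
// password is needed for the check only and is never written anywhere.
function example_license_key($username, $stored, $siteSalt, $date)
{
    return md5($username . $stored . $siteSalt . $date);
}

// Constructed sample data, not taken from any real account.
$salt     = 'Xk3pQ9sLm2Zr';
$stored   = example_crypt('correct-horse-42', $salt) . ':' . $salt;
$siteSalt = 'site-salt-placeholder';

foreach (array('correct-horse-42', 'wrong-guess') as $attempt) {
    if (example_verify($attempt, $stored)) {
        $key = example_license_key('exampleuser', $stored, $siteSalt, '2009-03-17');
        echo "password ok, new key: $key\n";
    } else {
        echo "password mismatch, no key issued\n";
    }
}
```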